CVE-2026-53825 | Severity: HIGH | CNA: VulnCheck

CVE-2026-53825: OpenClaw < 2026.4.7 - Arbitrary Local File Read via memory-wiki Ingest with operator.write Scope

OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file paths to import file content into wiki memory, bypassing access restrictions.

Metrics

CVSS v4.0: 7.1
Severity: HIGH
Fixed in: 2026.4.7
Affected Products: 1


HarborGuard Analysis

Synopsis

An arbitrary local file read vulnerability affects OpenClaw versions before 2026.4.7, found in the memory-wiki ingest feature. The flaw is reachable over the network by an authenticated user holding operator.write scope, meaning no admin-level access is required. Successful exploitation lets an attacker read arbitrary files from the host filesystem by specifying malicious paths during a wiki memory ingest operation. A patched-image rebuild at version 2026.4.7 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53825 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including the VulnCheck advisory. Coverage extends to custom-built images that bundle OpenClaw, not just upstream base images.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 7.1 HIGH and weighting it against each environment's compliance policy to determine urgency. Per-org routing rules can direct the alert to the team or inbox responsible for OpenClaw workloads.

Patch: Available

A patched-image rebuild at OpenClaw 2026.4.7 becomes available on HarborGuard for any image found running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable memory-wiki ingest endpoint is exposed over the network, so an attacker must be able to reach the OpenClaw service remotely.

  • Authentication: Required

    The attacker must hold a valid account with operator.write scope; any low-privilege account carrying that scope is sufficient.

  • Victim interaction: Not required

    No action from another user or administrator is needed to trigger the file read.

  • Attack complexity: Low (CVSS AC:L)

    Exploitation is reliable and condition-free; no race conditions or special environmental factors are required.

Blast Radius

  • An attacker reads arbitrary files from the local filesystem of the host running OpenClaw, including configuration files, secrets, and credentials stored on disk.
  • Sensitive data such as API keys, private certificates, or environment files outside the intended ingest directory can be exfiltrated by importing them into wiki memory.
  • Host-level file contents become visible inside the wiki memory store, potentially exposing data to other users with wiki read access.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-53825 activates as soon as the advisory is ingested, matching any image that bundles a vulnerable OpenClaw release against the affected version range (all releases before 2026.4.7). A rebuilt image at the fixed version is available for affected environments.

For customers who opt into auto-remediation, HarborGuard can perform the image rebuild, execute a regression-test run, and open a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval before remediation, the finding is routed to the appropriate team inbox with the CVSS score, affected image list, and fix-version details attached.

As a compensating control for environments that cannot upgrade immediately, restrict operator.write scope to trusted principals and apply network policy to limit inbound access to the OpenClaw ingest endpoint. Together these reduce the exploitable surface until the patched image is deployed.
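The page does not show OpenClaw's ingest code or the change shipped in 2026.4.7. As an added illustration of the general pattern behind this class of flaw (not OpenClaw's code, and not its fix), the Python below places an ingest routine that opens a caller-supplied path verbatim beside one that canonicalises the path and confines it to the intended ingest root. Every name (`vulnerable_read`, `resolve_ingest_path`, `safe_read`, `demo`), the directory layout and the sample file contents are constructed for this example; the absolute, `..` and symlink cases are covered because all three escape a naive join and are caught by the same containment check.

```python
"""Added example: confining a caller-supplied ingest path to an allowed root.

Not OpenClaw's code. The names, directory layout and file contents here are
constructed solely to show the check whose absence yields an arbitrary
local file read of the kind described for CVE-2026-53825.
"""
import tempfile
from pathlib import Path


class IngestPathError(ValueError):
    """Raised when a requested path does not resolve inside the ingest root."""


def vulnerable_read(root: Path, requested: str) -> str:
    # Unsafe pattern: the caller-supplied string is joined and opened as-is.
    # pathlib discards `root` when `requested` is absolute, and '..' segments
    # walk out of `root`, so any file readable by the service can be imported.
    return (root / requested).read_text()


def resolve_ingest_path(root: Path, requested: str) -> Path:
    """Return the real path for `requested` only if it lies inside `root`.

    Both sides are canonicalised (symlinks followed, '..' collapsed) before
    the containment check, so absolute paths, traversal sequences and
    symlinks pointing outside the root are all rejected the same way.
    """
    real_root = root.resolve(strict=True)
    candidate = (real_root / requested).resolve()
    try:
        candidate.relative_to(real_root)
    except ValueError:
        raise IngestPathError(f"{requested!r} resolves outside the ingest root") from None
    if not candidate.is_file():
        raise IngestPathError(f"{requested!r} is not a regular file in the ingest root")
    return candidate


def safe_read(root: Path, requested: str) -> str:
    # Hardened pattern: open only what the containment check returned.
    return resolve_ingest_path(root, requested).read_text()


def demo() -> dict:
    """Build a constructed fixture and exercise both readers.

    Layout (constructed for this example):
        <tmp>/secret.env      -- outside the ingest root
        <tmp>/wiki/notes.md   -- legitimate ingest source
        <tmp>/wiki/link.md    -- symlink -> ../secret.env (if supported)
    Returns {(reader, case): "served" | "rejected" | "error"}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "wiki"
        root.mkdir()
        (root / "notes.md").write_text("legitimate note\n")
        secret = base / "secret.env"
        secret.write_text("API_KEY=constructed-example-value\n")

        cases = {
            "inside": "notes.md",          # expected to be served by both
            "traversal": "../secret.env",  # '..' escape
            "absolute": str(secret),       # absolute path replaces the root
        }
        try:
            (root / "link.md").symlink_to(secret)
            cases["symlink"] = "link.md"   # in-root link that points outside
        except OSError:
            pass  # platform without symlink support; case skipped

        for label, req in cases.items():
            try:
                vulnerable_read(root, req)
                results[("vulnerable", label)] = "served"
            except OSError:
                results[("vulnerable", label)] = "error"
            try:
                safe_read(root, req)
                results[("hardened", label)] = "served"
            except IngestPathError:
                results[("hardened", label)] = "rejected"
    return results


if __name__ == "__main__":
    for (reader, label), outcome in sorted(demo().items()):
        print(f"{reader:10s} {label:9s} -> {outcome}")
```

The order of operations matters: resolve first, then check containment, then open the resolved path. Checking a string for `..` before joining misses absolute paths and symlinks, and checking after opening is too late. The `is_file()` test additionally keeps device nodes and directories out of the ingest path.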


Fix available: 2026.4.7

Affected packages
  • OpenClaw / OpenClaw: < 2026.4.7 (from 0); fixed in 2026.4.7

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N